What stops an attacker from extracting the salt from a BCrypt hashed password?

Asked Sep 22 '21 at 11:57

Active Sep 22 '21 at 11:57

Viewed 27 times

My understanding from my initial reading of how BCrypt hashes passwords is that it:

takes the raw string
hashes it using a random salt
appends that salt to the end of the hash (https://stackoverflow.com/a/6832628)

Then when verifying a supplied password, it:

takes the supplied password
retrieves the hashed password
finds the salt from the end of the hashed password
hashes the supplied password using the salt from the stored password
checks whether the two are the same

My question is - if the salt is appended to the hashed password, what stops a human from a) finding it and b) potentially using it to brute-force finding a password ? Does it not negate the benefit of having a random salt rather than a known, but not stored, one?

asked Sep 22 '21 at 11:57

Chris A

2

Nothing, the salt is not there to prevent brute forcing a password. The salt is there to prevent precomputing a huge table of hashed passwords aka a "rainbow table". [Here](https://crackstation.net/hashing-security.htm) is a good tutorial. – President James K. Polk Sep 22 '21 at 12:29

What stops an attacker from extracting the salt from a BCrypt hashed password?

0 Answers0